CVE-2023-23397 (CVSSv3 Score: 9.8 – Critical) – Microsoft Outlook Elevation of Privilege Vulnerability
This zero-day is a critical privilege escalation vulnerability in Microsoft Outlook that could allow an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. To achieve this, a threat actor could send a specially crafted email that will cause a connection from the victim to an external UNC location of adversarial control. The victim’s Net-NTLMv2 hash will be leaked to the attacker who can then relay this to another service and authenticate as the victim. What makes this dangerous is that the flaw will be triggered before the email is viewed in the Preview Pane, no user interaction is required.
Microsoft says that this vulnerability was exploited by STRONTIUM, which is a state-sponsored Russian hacking group. Between mid-April and December 2022, CVE-2023-23397 was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations.
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
- Customers can disable the WebClient service running on their organization’s machines.
- This will block all WebDAV connections including intranet which may impact users or applications.
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group.
- See Protected Users Security Group for more information.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
- This process is claimed to be insufficient due to the vulnerability’s ability to be exploited on any port if WebClient is running.
- Microsoft recommends all customers (on-premises, hybrid or online) to install Outlook updates.
- Exchange March SU does not address CVE-2023-23397, you need to install Outlook updates to address this vulnerability in Outlook.
Microsoft has released a PowerShell script to help admins validate if any users in their Exchange environment have been targeted using this Outlook vulnerability. The script checks Exchange messaging items to see whether a property is populated with a UNC path. Admins could also use this script to clean up the property for items that are malicious or even delete the items permanently.
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
Exploitation for Privilege Escalation
Exploitation for Credential Access
Pass the Hash
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.
As always, if we detect activity related to these exploits, we will alert you if warranted.
Please feel free to contact the SOC via email (firstname.lastname@example.org) or telephone (844-474-1244) if you have any questions or concerns.
Microsoft Customer Guidance
- CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability
Resources & Related Articles
- Microsoft Zero-Day Bugs Allow Security Feature Bypass
- Microsoft fixes Outlook zero-day used by Russian hackers since April 2022
- Microsoft patches zero-days used by state-sponsored and…
- Microsoft’s March 2023 Patch Tuesday Addresses 76 CVEs (CVE-2023-23397)
- Microsoft stops two zero-days for March Patch Tuesday | TechTarget
- Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities